Data Privacy Framework Privacy Policy

Effective Date: March 13, 2026

Applicability

If your personal data is processed by Epic in our role as a data processor or service provider to our healthcare customers (including those in the European Economic Area, the United Kingdom, or Switzerland), our only option is to redirect your request to that healthcare customer. You may save time by reaching out to your healthcare provider directly.

General

Epic Systems Corporation (“Epic” or “we/our”) and its subsidiaries develop, implement, and support healthcare software that helps doctors, nurses, and other providers deliver high-quality care for patients. While helping our customers install and use our software, Epic employees sometimes need to access personal data (including sensitive health information) that is stored in our customers’ healthcare information software systems. Epic employees only access this information with permission from our customers. In limited circumstances, Epic also controls personal data about certain individuals.

We take very seriously our obligation to protect the confidentiality of, and to limit uses and disclosures of, such personal data.

Epic complies with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. Data Privacy Framework (“UK Extension”), and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) (collectively, the “Data Privacy Frameworks”) as set forth by the U.S. Department of Commerce’s International Trade Administration (“ITA”) regarding transfers to U.S. organizations of personal data from European Economic Area (“EEA”) member countries, the United Kingdom (and British overseas territories such as Gibraltar) (“UK”), and Switzerland (collectively “EEA, UK, and Swiss personal data”). This policy is intended to inform people in the EEA, UK, and Switzerland about the safeguards we have in place for protecting the EEA, UK, and Swiss personal data. Human resources (HR) data is not included in the scope of this privacy policy.

Epic has certified that it adheres to the Data Privacy Frameworks’ Principles of: notice; choice; accountability for onward transfer; security; data integrity and purpose limitation; access; and recourse, enforcement, and liability (collectively, the “Principles”). To learn more about the Data Privacy Frameworks and to view Epic’s certification, please visit https://www.dataprivacyframework.gov/ and https://www.dataprivacyframework.gov/list.

The following subsidiaries in the United States are included in our certification under the Data Privacy Frameworks:

• Boost, Inc.
• Epic Health Research Network Inc.
• Epic Hosting, LLC
• EpicCorps International, LLC

Epic and its subsidiaries are subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (“FTC”) relative to the Data Privacy Frameworks.

We may make changes to this policy from time to time and will post them on this website. Such changes will remain consistent with the requirements of the Principles and will reflect our continued commitment to protect the privacy and security of personal data.

Notice

For EEA, UK, and Swiss personal data processed by Epic on behalf of organizations that use Epic software:

Organizations that use Epic software in the EEA, the UK, and Switzerland are responsible for notifying you of the purposes for which your personal data is collected, the uses to which it will be put, and the types of third parties to which it may be disclosed. In addition, when required to do so under the applicable EEA, UK, or Swiss standards, these organizations are responsible for offering you choices about whether your personal data will be disclosed to third parties or used for any purpose incompatible with those for which it is collected or subsequently authorized.

For circumstances in which Epic controls EEA, UK, and Swiss personal data:

In these circumstances where Epic controls personal data that we collect from you directly, we are notifying you of the following additional information:

• Epic participates in the Data Privacy Frameworks. You can view the Data Privacy Framework List at the following address: https://www.dataprivacyframework.gov/list.
• The personal data Epic controls about you consists of data you submit to Epic directly for the following purposes, including:
  • Contact information you submit to our websites in order to sign up for Epic mailing lists, newsletters, campus tours, etc.
  • Personal data you provide to us to sign up for usability testing or that you provide to us during such testing
  • Personal data you provide to us to make user accounts on our websites such as open.epic and Vendor Services
  • Personal data you include in stories you submit to Epic via MyChart.org
• Epic is committed to following the Principles for personal data we receive from the EEA, the UK, and Switzerland.
• You may contact Epic with inquiries or complaints via the methods outlined in the Contact Epic section below.
• Types of third parties that may receive your personal data, along with the purposes for which they do so, are noted below and in the privacy policy or similar terms that apply when you send that data to Epic. Depending on the purpose for which you sent personal data to Epic, Epic may send your personal data to:
  • an email newsletter vendor (such as MailChimp) for creating and managing subscriptions to email newsletters to which you subscribe (such as the newsletters from EpicShare and Epic Research);
  • an electronic survey vendor (such as Qualtrics) for collecting personal data you submit when you sign up for Epic software usability testing;
  • third parties to facilitate your attendance at Epic events for which you have registered, including a mobile application vendor (such as EventMobi) for signing you up for event companion mobile applications, room block management software (such as Meeting Max) for providing access to event-specific hotel room blocks, and payment processing vendors (such as PayPal) for processing your registration fees; and
  • enterprise business software (such as Microsoft’s suite of products) for general administrative purposes. Personal data you send to Epic when you email us, sign up for an Epic campus tour or usability testing, register for an Epic event, make a user account for one of our websites, or through other means may be stored in an Epic-managed, third-party cloud storage system to facilitate the administration of your requested service.
• You have the right to access your personal data controlled by Epic. You also have the right to request that we limit the use and disclosure of your personal data. Epic’s ability to limit the use and disclosure of your personal data will vary depending on the noticed purpose for which you provided Epic with your personal data. If we are unable to limit the use or disclosure of your personal data, we may be able to delete it. Please reach out using the contact information provided in the Contact Epic section below to exercise these rights.
• If you have complaints about how Epic is handling your personal data, you may contact the International Centre for Dispute Resolution, the international division of the American Arbitration Association (“ICDR-AAA”), to address those complaints. The ICDR-AAA is a dispute resolution provider based in the United States and can provide appropriate recourse to you free of charge.
• You can request arbitration under certain circumstances through the Data Privacy Framework Panel. To learn more about this process, please visit https://www.dataprivacyframework.gov/.
• Epic may be required to disclose personal data in response to lawful requests by public authorities.
• Epic requires third parties that may receive your personal data from Epic to process your personal data in a manner consistent with the Principles. Epic may be liable for a third-party processing your information transferred by Epic inconsistent with the Principles.

Choice

For EEA, UK, and Swiss personal data processed by Epic on behalf of organizations that use Epic software:

For personal data Epic processes about you on behalf of organizations that use Epic software, Epic only processes this data based on instructions from those organizations. Accordingly, please reach out to those organization(s) for requests to limit disclosures and use of your personal data.

For circumstances in which Epic controls EEA, UK, and Swiss personal data:

In these circumstances, individuals can request to opt out of having their personal data shared with a third party or used for a purpose other than the original stated purpose. If you would like to exercise this choice, please reach out to us using the contact information provided below.  

Accountability for Onward Transfer

We do not provide your personal data to other third parties unless they also adhere to the Principles outlined above (e.g., due to participation in this Framework) or they’ve entered into a written agreement with us that provides the same level of protection as the Principles, such as an agreement that contains the standard contractual clauses published by the European Commission for GDPR-compliant data transfers. Additionally, if we do provide your personal data to such third parties, we do so only for the same uses for which we are authorized by the organizations that use Epic software or for the purposes for which you provided Epic your personal data. For example, if you provide Epic your email address to subscribe to an email newsletter, your contact information may be sent to a third-party email newsletter service to help us facilitate delivery of the newsletter you subscribed to.

Security

We take reasonable and appropriate precautions to protect personal data in our possession (including sensitive data concerning health) from loss, misuse, unauthorized access, disclosure, alteration, and inappropriate destruction.

Data Integrity and Purpose Limitation

For EEA, UK, and Swiss personal data processed by Epic on behalf of organizations that use Epic software:

We do not process personal data in any way that is incompatible with the purposes or instructions our customers have provided to us. Applicable law requires our customers to take appropriate steps to ensure that such data in Epic’s possession that is processed on their behalf is reliable for its intended use, accurate, complete, and current. Epic only retains data for as long as we are required to do so per the instructions and authorization given to us as a data processor for our healthcare customers.

For circumstances in which Epic controls EEA, UK, and Swiss personal data:

In these circumstances, we only process data for the purposes authorized by the data subjects. We also take steps to ensure this data is reliable for its intended use, accurate, complete, and current.

Access

For EEA, UK, and Swiss personal data processed by Epic on behalf of organizations that use Epic software:

When Epic receives personal data from organizations that use Epic software in connection with supporting their operations, we will follow their reasonable instructions regarding actions Epic can take on your personal data. We also expect our EEA, UK, and Swiss customers to comply with the Access standards applicable to them in the EEA, the UK, and Switzerland. You are encouraged to contact these organizations directly in order to address any concerns about your data.

For circumstances in which Epic controls EEA, UK, and Swiss personal data:

In these circumstances, you may contact us with questions about accessing, correcting, amending, or deleting data by using the contact information provided below.

Recourse, Enforcement, and Liability

We train our employees and regularly communicate to them about the proper use, disclosure, and handling of personal data. Any Epic employee who fails to handle personal data appropriately or fails to report any violation of Epic’s internal security and privacy practices of which they are aware, is subject to appropriate disciplinary action, which can include termination.

For EEA, UK, and Swiss personal data processed by Epic on behalf of organizations that use Epic software:

If you have concerns about our use, disclosure, or handling of personal data (including health data) processed by Epic on behalf of organizations that use Epic software, please reach out to your healthcare organization(s).

For circumstances in which Epic controls EEA, UK, and Swiss personal data:

In these circumstances, individuals in the EEA, the UK, or Switzerland who have concerns about our use, disclosure, or handling of their personal data are encouraged to contact our Data Privacy Framework Program Monitor by emailing PrivacyInquiriesEurope@epic.com. If we are unable to resolve your concerns, your independent recourse mechanism is to contact the International Centre for Dispute Resolution, the international division of the American Arbitration Association (“ICDR-AAA”) at https://go.adr.org/dpf_irm.html.

If your concerns are not fully resolved after you go through Epic and the ICDR-AAA, you can request arbitration through the Data Privacy Framework Panel. To learn more about this process, please visit https://www.dataprivacyframework.gov/.

Contact Epic

Contact Epic at PrivacyInquiriesEurope@epic.com with questions about this policy or the Data Privacy Frameworks. Note that if your personal data is processed by Epic in our role as a data processor or service provider to our healthcare customers (including those in the EEA, the UK, or Switzerland), our only option is to redirect your request to that healthcare customer. You may save time by reaching out to your healthcare provider directly.

If you wish to contact Epic about a topic unrelated to your personal data, please see our Contact Us page.